Yes, I converted the PEM certficiate + key to PKCS12 format. I received no errors when doing so. The following command shows the correct certificate details :
<code>openssl pkcs12 -in cert.pkcs12</code>
So I don't believe the PKCS12 version of the cert is corrupted or broken.

The process was not at all intuitive, but I have finally produced a keystore file which tomcat accepts. I can access my Zimbra installation via https on tcp 443 and 7071; I don't get browser warnings about the certificate; and displaying the certificate details from within my browser shows that it is using the cert we bought.

Here's how I did it with Keytool IUI. This is likely incomplete, as I wasn't diligently taking notes since I didn't actually expect it to work.

* convert the certificate + key into PKCS12 format, using "zimbra" as the export password (openssl -inkey cert.key -in cert.pem -export -out cert.p12)
* start Keytool IUI ( ./run_ktl_plus.sh )
* Create Keystore -- use "zimbra" as the password
* Import Private key from other keystore
** select PKCS12 as the format, and open cert.p12 (the PKCS12 version of the certificate)
** use "zimbra" as the source keystore password
** select the keystore file you created above, and leave the format at JKS
** use "zimbra" as the target keystore password
* select the certificate, and click OK
* use "tomcat" as the alias for the private key
* use "zimbra" as the password
* click OK
* view the keystore, and confirm that the "tomcat" alias was created

* Back up /opt/zimbra/tomcat/conf/keystore
* stop tomcat
* Install the keystore you just created to /opt/zimbra/tomcat/conf/keystore
* start tomcat
* confirm you can access https://example.com:7071 and https://example.com/